// Trust & Security Report

    Observe.AI, Inc. logo

    Observe.AI, Inc.

    Agentic AI platform for customer experience (CX) contact centers. Sub-products: AI Agents for Customers (voice/chat resolution), AI Agents for Frontline Teams (real-time copilot/guidance), AI Agents for Operations (conversation intelligence, QA/evaluation, coaching, insights).

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II – Independent audit of security, availability, confidentiality, and privacy controls.

    Verify on trust.observe.ai
    ISO/IEC 27001:2022
    HELD

    ISO/IEC 27001:2022 – Information Security Management System certification.

    Verify on trust.observe.ai
    ISO/IEC 42001:2023 (AI Management System)
    HELD

    Observe.AI uses ISO 42001 as the base to implementing AI framework and governance. ... ISO 42001:2023 Certificate [downloadable resource]

    Verify on trust.observe.ai
    PCI DSS (Level 1 Service Provider, v4.0.1)
    HELD

    PCI DSS Level 1 Service Provider – Highest level of certification for handling payment card data. ... PCI Level 1 DSS v4.0.1 Certification [downloadable resource]

    Verify on trust.observe.ai
    HITRUST r2 (HIPAA)
    HELD

    HITRUST r2 – Comprehensive framework for security and risk management in healthcare-related environments. ... HITRUST_r2_Certificate (HIPAA) [downloadable resource]

    Verify on trust.observe.ai
    HIPAA (safeguards for PHI)
    HELD

    HIPAA – Safeguards for processing and protecting Protected Health Information (PHI).

    Verify on trust.observe.ai
    GDPR / CCPA (privacy compliance posture, not a certification)
    HELD

    GDPR & CCPA – Compliance with global privacy regulations as a data processor, supported by a Data Processing Addendum (DPA)

    Verify on trust.observe.ai
    EU AI Act conformance
    HELD

    EU AI Act-Compliant [claim on trust page]; trust portal also lists a downloadable 'Observe.AI EU AI Act Feature conformance report'.

    Verify on observe.ai
    > Show 2 unconfirmed / not-held certifications
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration or attestation found on the vendor's trust center or security pages.

    source: trust.observe.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on the vendor's trust center or site.

    source: trust.observe.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Customer data can be stored in US West-2, EU West, or Australia depending on contract (per trust portal, https://trust.observe.ai/). Contradicts an older/legacy GDPR privacy notice on the corporate site (https://www.observe.ai/gdpr-privacy) which states data is stored on AWS in the USA only, not in the EU. This is an unresolved contradiction between a legacy privacy notice and the current trust center; flagged below.

    Nuanced: Observe.AI's trust-center FAQ states enterprise LLMs (e.g. GPT, AWS Bedrock) are used 'solely for inference' under agreements that 'prohibit data use for training' by the underlying model providers, and that Observe.AI's own model training uses 'public, permissioned, and anonymized data.' However, the vendor's own published Data Processing Addendum contains a distinct, broader clause: 'Customer expressly instructs and authorizes Observe.AI to use Customer Data to train, develop, test, and improve customer-specific AI models,' and separately permits use of de-identified/anonymized/aggregated data for general (cross-customer) model improvement. This is a contract-level opt-in (customer-specific model training with consent) that is materially different from the trust-center marketing framing of 'inference-only.' Procurement teams should read the live DPA and confirm per-contract training scope and opt-out options rather than relying on the trust-center FAQ alone.

    // Security controls

    Encryption in transit

    TLS 1.2 or higher

    trust.observe.ai

    Encryption at rest

    AES-256; customer-managed encryption keys supported

    trust.observe.ai

    Authentication

    SSO (multiple IdPs), MFA, and SCIM provisioning supported

    trust.observe.ai

    PII/PHI/PCI redaction

    Automated detection and redaction of PII, PHI, PCI data from transcripts, audio, and text prior to storage/processing

    trust.observe.ai

    Data residency

    US West-2, EU West, or Australia, per customer contract (per trust portal; conflicts with a legacy GDPR notice claiming US-only storage, see privacy.data_region note)

    trust.observe.ai

    Data subject / DSR handling

    Supports and can automate data subject request (DSR) handling for GDPR/CCPA

    trust.observe.ai

    Uptime SLA

    ≥ 99.9% uptime claimed

    observe.ai

    Penetration testing

    Trust portal lists recent external network and application VAPT (vulnerability assessment/penetration test) reports available on request (Full External Network VAPT, Post Call VAPT, Voice AI and Copilot VAPT, dated Jan 2026)

    trust.observe.ai

    // Products & data scope

    AI Agents for CustomersCustomer-facing conversational AI (voice/chat resolution)

    data: Customer call/chat transcripts, PII/PCI/PHI within conversations, CRM/CCaaS data via integrations

    Certified under the same unified security program as the rest of the platform per trust portal claim ('all of our products ... are certified').

    AI Agents for Frontline TeamsReal-time agent-assist / copilot

    data: Live call audio/transcript, agent screen context, knowledge base content

    Same unified compliance program as above.

    AI Agents for OperationsConversation intelligence, QA automation, evaluation and coaching

    data: Historical call/chat recordings and transcripts, QA scorecards, performance data

    Same unified compliance program as above; this is the module most likely to touch large volumes of historical PHI/PCI in regulated verticals (healthcare, fintech).

    // What to watch

    • Data residency contradiction: current trust portal (trust.observe.ai) states customer data can be stored in US, EU, or Australia per contract, while the corporate site's GDPR Privacy Notice (www.observe.ai/gdpr-privacy) states data is stored only on AWS in the USA, not in the EU. This looks like a legacy privacy notice that has not been updated to match the newer trust-center/product claims; procurement should get written confirmation of actual data residency for any EU deal.
    • AI-training nuance/possible over-claim: the trust-center FAQ frames model usage as 'inference-only' with anonymized training data, but the vendor's own Data Processing Addendum contains a broader clause authorizing use of Customer Data to train customer-specific AI models (with consent) and use of de-identified/aggregated data for general model improvement across customers. This is a legitimate, disclosed contract term but is not visible from the trust-center marketing copy alone, so a buyer relying only on the trust page could be misled about training scope.
    • Underlying cert documents (ISO 27001 certificate, SOC 2 report, PCI certification, HITRUST certificate, ISO 42001 certificate) are gated behind a 'Request access' NDA-walled trust portal login; this assessment relies on the vendor's own summary/marketing text describing those certifications rather than the primary certificate/report PDFs, which could not be independently opened.
    • HITRUST r2 and ISO 42001 claims were confirmed on two of the vendor's own domains (trust.observe.ai and www.observe.ai/trust) but not independently corroborated by third-party press; treat as vendor-asserted pending direct document review.

    // At a glance

    Pricing model

    Enterprise contract-based (no public self-serve pricing found); positioned for mid-market to large enterprise contact centers

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Observe.AI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.observe.ai

    > Browse all vendor trust reports